CVE-2025-32027

low-risk

Published 2025-04-10

Yii is an open source PHP web framework. Prior to 1.1.31, yiisoft/yii is vulnerable to Reflected XSS in specific scenarios where the fallback error renderer is used. Upgrade yiisoft/yii to version 1.1.31 or higher.

Do I need to act?

0.18% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Yii

Affected Vendors

Yiiframework

References (2)

Patch https://github.com/yiisoft/yii/commit/d386d737861c9014269b7ed8c36c65eadb387368

Vendor Advisory https://github.com/yiisoft/yii/security/advisories/GHSA-7r2v-8wxr-3ch5

/ 100

low-risk

Severity 23/34 · High

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal